Harsh Lessons Learned by LinkedIn

This week saw proof that a breach is not just about what is released at the time, but that it can come back to haunt you years later.

A 2012 breach of LinkedIn user data was believed to have contained “close to 6.5 million unsalted password hashes” and for this writer, it taught me a lot about salting and hashing as LinkedIn raced to fix the issue.

This was far from the end of the story – it was later reported that a quarter of a million users did not receive a breach notification, while it also faced a $5 million lawsuit over the breach.

As we saw this week, the story was far from done, as CISO Cory Scott – who will present at this year’s Infosecurity Europe – posted a blog about the breach. Scott joined the company eight months after the breach, and he said that at the time “our immediate response included a mandatory password reset for all accounts we believed were compromised as a result of the unauthorized disclosure”.

This week LinkedIn became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012.

Scott said: “We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach.”

He later confirmed that it had begun to invalidate passwords for all accounts created prior to the 2012 breach that had not updated their password since that breach, and an email was sent to those users.

“We have demanded that parties cease making stolen password data available and will evaluate potential legal action if they fail to comply,” he said. “In the meantime, we are using automated tools to attempt to identify and block any suspicious activity that might occur on affected accounts.”

In an email to Krebs on Security, LinkedIn spokesman Hani Durzy said the company had obtained a copy of the 117 million record database, and that LinkedIn believes it to be real and related to the 2012 breach. “How many of those 117m are active and current is still being investigated.”

Those details were put up for sale online with an asking price of $2,200 and include email addresses, as well as poorly scrambled passwords.

Trent Telford, CEO at Covata, said that it is concerning that LinkedIn underestimated the scale of this breach, and that it points to the need for better investigative tools once a breach happens. “What’s more, while the passcodes were protected with a level of encryption, it’s clear that this was nowhere near robust enough to properly protect user details.

“Arguably, what is the point of encrypting something, if you don’t know who or why you are giving a key to someone? This is why verifying identity and creating stringent policies should be cornerstones in enterprise encryption strategies.”

Analysis of the data by KoreLogic found that it contained 164,590,819 unique email addresses, 177,500,189 unsalted SHA1 password hashes, and 61,829,207 unique hashes. “This means there are duplicates, and this is good for password researchers because it allows us to come up with statistics of how often certain passwords are used,” it said.

What is unsurprising is the passwords used: 123456, linkedin, password, 123456789, qwerty and other commonly used passwords.
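To show why unsalted SHA1 lets researchers derive the reuse statistics KoreLogic describes, here is an added example (not code from the article or from LinkedIn) that hashes a small constructed account list both unsalted and with a per-user salt and counts how the hashes collapse; the account data, the `hash_stats` helper and the use of SHA-256 for the salted variant are all assumptions for illustration.

```python
import hashlib
import os
from collections import Counter

# Constructed sample: a handful of (email, password) pairs in which several
# users share the same weak passwords named in the article.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "123456"),
    ("bob@example.com", "linkedin"),
    ("carol@example.com", "123456"),
    ("dave@example.com", "password"),
    ("erin@example.com", "123456"),
    ("frank@example.com", "qwerty"),
    ("grace@example.com", "linkedin"),
]


def unsalted_sha1(password: str) -> str:
    """SHA-1 of the bare password: the scheme the 2012 dump used."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Per-user salt folded into the hash so equal passwords give different
    digests. Illustrative only (assumed scheme); production code should use a
    slow password KDF such as bcrypt, scrypt or Argon2 rather than plain SHA-256."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def hash_stats(accounts, salted: bool = False):
    """Return (total_hashes, unique_hashes, largest_cluster) for a dataset.

    Unsalted: identical passwords collapse to identical hashes, so the counts
    alone reveal how many users share each password. Salted: every hash is
    distinct, and the reuse statistics are no longer readable from the dump.
    """
    hashes = []
    for _email, password in accounts:
        if salted:
            hashes.append(salted_hash(password, os.urandom(16)))
        else:
            hashes.append(unsalted_sha1(password))
    counts = Counter(hashes)
    return len(hashes), len(counts), max(counts.values())


if __name__ == "__main__":
    print("unsalted:", hash_stats(SAMPLE_ACCOUNTS))        # (7, 4, 3)
    print("salted:  ", hash_stats(SAMPLE_ACCOUNTS, True))  # (7, 7, 1)
```

The unsalted run reproduces in miniature the gap between total and unique hashes reported for the real dump, which is exactly the information a salt denies an attacker holding the file.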

Raimund Genes, CTO of Trend Micro, said in a blog that questions remain about the breach: specifically, how did a breach of this scale remain hidden? Does this tell us who was responsible for the breach in the first place, and how the information was used?

Jason Hart, CTO of Data Protection at Gemalto, said: “Passwords are not secure, no matter how complicated or clever we make them. Making them more complex, per the stern instructions we receive when setting up our myriad personal and professional accounts, only really helps to prevent an amateur intruder from guessing the password.

“The other, more obvious problem with complex requirements for passwords is that they become so difficult to remember that users end up using the same one for everything. This makes full-on identity theft (now the leading motivation behind data theft) even easier once that password has been stolen. LinkedIn offers a number of excellent protection tools like email challenges and dual factor authentication. However, these only work if the user remembers to activate them. Given the current security climate, all online companies should have multi-factor authentication activated by default for all online accounts.”

Quentyn Taylor, Director of Information Security at Canon for EMEA, pointed out on Twitter that if the passwords are four years old, then your password is also four years old and if shared across multiple sites, “you have issues”.

The importance of password hygiene is especially apparent in these times of breaches, and Rapid7’s research data showed that compromised credentials are a concern among 90% of companies, while 60% could not detect attacks that use compromised credentials.

I’ve followed the advice of many others and used a password vault app in an effort to create and store secure passwords, but we continue to have the issue that passwords are often created and recalled for convenience rather than security.

Steven Hope, CEO of Authlogics, said: “This case illustrates the need for organizations to be proactive in consigning passwords to history, for the sake of the security of their operations and protection of their customers and members.” Authlogics offered its PINgrid solution to LinkedIn free of charge, in order to safeguard its 100 million members from future password attacks.

“Authlogics is offering LinkedIn Corporation the opportunity to give every member the option to use PINgrid, enabling them to log-on quickly and securely from every device. What is more, we can offer the option to deploy as either a 1.5 or full two-factor authentication solution. We very much hope that they take advantage of this unprecedented offer.”

What this incident should prove is that a breach does not end with the company blog post. With the GDPR set to require compliance from businesses from 2018 and to demand mandatory breach notification, detecting exactly what has left the business will become more important than ever. Until that is the case, discovering that a breach from four years ago is more than ten times bigger than expected will cause serious lost sleep.

LinkedIn CISO Cory Scott will present on Tuesday and Wednesday on the keynote stage at Infosecurity Europe.